Firebird Backdoor Tentatively Linked With Indian APT

The threat actor known as DoNot Team has been linked to the deployment of a new .NET-based backdoor called Firebird, which has been used against a small number of targets in Pakistan and Afghanistan.

Cybersecurity researchers stated that the attack chains are also designed to deliver a downloader named CSVtyrei, so called because of its resemblance to Vtyrei. Parts of the code appeared to be non-functional, suggesting that development is still ongoing.

Vtyrei (also known as BREEZESUGAR) refers to an initial payload and downloader strain that the threat actor had previously utilized to distribute a malware framework known as RTY.

DoNot Team, which also goes by the aliases APT-C-35, Origami Elephant, and SECTOR02, is believed to originate from India. Their attacks involve the use of spear-phishing emails and rogue Android apps to propagate malware.

The researchers' latest assessment builds on an analysis of two attack campaigns by this threat actor in April 2023, in which it deployed the Agent K11 and RTY frameworks.

ElizaRAT Used in Attacks on India

This disclosure comes in the wake of Zscaler ThreatLabz revealing new malicious activities undertaken by the Pakistan-based Transparent Tribe (also known as APT36). This group has been targeting sectors of the Indian government using an updated arsenal of malware, which includes a previously undocumented Windows trojan named ElizaRAT.

ElizaRAT is delivered as a .NET binary and establishes a communication channel through Telegram, allowing threat actors to gain complete control over the targeted endpoint.

Transparent Tribe, active since 2013, has utilized tactics like credential harvesting and malware distribution, often distributing tampered installers of Indian government applications such as Kavach multi-factor authentication. They have also weaponized open-source command-and-control (C2) frameworks like Mythic.

In a sign that this hacking group has turned its attention to Linux systems, Zscaler noted that they found a small set of desktop entry files that facilitate the execution of Python-based ELF binaries. These include GLOBSHELL for exfiltrating files and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
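The persistence mechanism described above, a desktop entry whose Exec line launches a binary dropped somewhere on the host, is something a Linux administrator can triage with a few heuristics. The script below is an added example, not Zscaler's tooling and not code from the article: it parses .desktop files and flags entries whose Exec target lives outside the usual binary directories, under a hidden directory or a world-writable scratch directory, or is a shell/interpreter wrapper, and entries that set NoDisplay=true to stay out of application menus. The trusted-directory list and the three sample entries (file names, paths and Name values) are constructed for illustration and are not indicators from the report.

```python
"""Heuristic triage of Linux .desktop entries (added example; heuristics are assumptions)."""
import configparser
import os
import shlex
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Locations from which a legitimate desktop entry normally launches its target (assumed list).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/lib/",
                     "/usr/libexec/", "/opt/", "/snap/bin/")
# Interpreters and shells that turn a desktop entry into a generic launcher for a script.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}
# World-writable scratch locations where dropped payloads often sit.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    entry_name: str
    exec_line: str
    reasons: List[str] = field(default_factory=list)


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [Desktop Entry] group of a .desktop file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case: Exec, NoDisplay, ...
    parser.read_string(text)
    if "Desktop Entry" not in parser:
        raise ValueError("missing [Desktop Entry] group")
    return dict(parser["Desktop Entry"])


def _is_hidden_path(path: str) -> bool:
    """True if any path component is a dot-directory or dot-file."""
    return any(part.startswith(".") for part in path.split("/") if part)


def assess_entry(name: str, entry: Dict[str, str]) -> Finding:
    """Apply the heuristics to one parsed entry and collect the reasons for suspicion."""
    exec_line = entry.get("Exec", "")
    finding = Finding(entry_name=name, exec_line=exec_line)
    if not exec_line:
        return finding
    argv = shlex.split(exec_line)  # Exec uses shell-like quoting
    target = argv[0]
    if not target.startswith(TRUSTED_EXEC_DIRS):
        finding.reasons.append(f"target outside trusted directories: {target}")
    if _is_hidden_path(target):
        finding.reasons.append(f"target lives under a hidden directory: {target}")
    if os.path.basename(target) in INTERPRETERS and len(argv) > 1:
        finding.reasons.append(f"shell/interpreter launcher: {exec_line}")
    if any(arg.startswith(SCRATCH_DIRS) for arg in argv):
        finding.reasons.append("references a world-writable scratch directory")
    if entry.get("NoDisplay", "false").strip().lower() == "true":
        finding.reasons.append("NoDisplay=true hides the entry from application menus")
    return finding


def scan_entries(sources: Dict[str, str]) -> List[Finding]:
    """Triage a mapping of file name -> file contents; return only the flagged entries."""
    findings = []
    for name, text in sources.items():
        try:
            entry = parse_desktop_entry(text)
        except (ValueError, configparser.Error):
            continue  # not a desktop entry; out of scope for this check
        finding = assess_entry(name, entry)
        if finding.reasons:
            findings.append(finding)
    return findings


def scan_autostart_dirs(dirs: Optional[List[Path]] = None) -> List[Finding]:
    """Read every .desktop file in the XDG autostart directories and triage it."""
    if dirs is None:
        dirs = [Path("/etc/xdg/autostart"), Path.home() / ".config" / "autostart"]
    sources = {}
    for d in dirs:
        if d.is_dir():
            for p in d.glob("*.desktop"):
                sources[str(p)] = p.read_text(errors="replace")
    return scan_entries(sources)


# Constructed sample entries: hypothetical names and paths, not indicators from the report.
SAMPLE_ENTRIES = {
    "firefox.desktop": "[Desktop Entry]\nType=Application\nName=Firefox\n"
                       "Exec=/usr/bin/firefox %u\nIcon=firefox\nCategories=Network;WebBrowser;\n",
    "sysupd.desktop": "[Desktop Entry]\nType=Application\nName=System Update\n"
                      "Exec=/home/analyst/.local/share/.cfg/sysupd\nNoDisplay=true\n"
                      "X-GNOME-Autostart-enabled=true\n",
    "run.desktop": "[Desktop Entry]\nType=Application\nName=Helper\n"
                   "Exec=sh -c \"/tmp/.u/run.py\"\n",
}

if __name__ == "__main__":
    for f in scan_entries(SAMPLE_ENTRIES):
        print(f"{f.entry_name}: {f.exec_line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as a script it triages the embedded samples; `scan_autostart_dirs()` applies the same checks to the system and per-user autostart directories on a live host. The heuristics are deliberately broad (some legitimate snap or AppImage launchers will trip the trusted-directory check), so treat the output as a worklist for an analyst rather than a verdict.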

October 24, 2023